mirror of
https://github.com/bol-van/zapret.git
synced 2025-01-07 17:00:34 +05:00
separate desync options for http and https
This commit is contained in:
parent
17867c25b7
commit
f6d80e78b4
4
config
4
config
@ -40,7 +40,9 @@ MODE_FILTER=none
|
|||||||
|
|
||||||
# CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list
|
# CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list
|
||||||
DESYNC_MARK=0x40000000
|
DESYNC_MARK=0x40000000
|
||||||
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-fooling=badsum --dpi-desync-fwmark=$DESYNC_MARK"
|
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
|
||||||
|
#NFQWS_OPT_DESYNC_HTTP="--dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
|
||||||
|
#NFQWS_OPT_DESYNC_HTTPS="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
|
||||||
|
|
||||||
# CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
|
# CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
|
||||||
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3"
|
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3"
|
||||||
|
@ -492,6 +492,13 @@ nfqws options for DPI desync attack:
|
|||||||
DESYNC_MARK=0x40000000
|
DESYNC_MARK=0x40000000
|
||||||
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-fooling=badsum --dpi-desync-fwmark=$DESYNC_MARK"
|
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-fooling=badsum --dpi-desync-fwmark=$DESYNC_MARK"
|
||||||
|
|
||||||
|
Separate nfqws options for http and https :
|
||||||
|
|
||||||
|
NFQWS_OPT_DESYNC_HTTP="--dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
|
||||||
|
NFQWS_OPT_DESYNC_HTTPS="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
|
||||||
|
|
||||||
|
If a variable is not defined, the value NFQWS_OPT_DESYNC is taken.
|
||||||
|
|
||||||
flow offloading control (openwrt only)
|
flow offloading control (openwrt only)
|
||||||
donttouch : disable system flow offloading setting if selected mode is incompatible with it, dont touch it otherwise and dont configure selective flow offloading
|
donttouch : disable system flow offloading setting if selected mode is incompatible with it, dont touch it otherwise and dont configure selective flow offloading
|
||||||
none : always disable system flow offloading setting and dont configure selective flow offloading
|
none : always disable system flow offloading setting and dont configure selective flow offloading
|
||||||
|
@ -720,7 +720,14 @@ TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3"
|
|||||||
Опции nfqws для атаки десинхронизации DPI :
|
Опции nfqws для атаки десинхронизации DPI :
|
||||||
|
|
||||||
DESYNC_MARK=0x40000000
|
DESYNC_MARK=0x40000000
|
||||||
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-fooling=badsum --dpi-desync-fwmark=$DESYNC_MARK"
|
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
|
||||||
|
|
||||||
|
Задание раздельных опций nfqws для http и https :
|
||||||
|
|
||||||
|
NFQWS_OPT_DESYNC_HTTP="--dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
|
||||||
|
NFQWS_OPT_DESYNC_HTTPS="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
|
||||||
|
|
||||||
|
Если какая-то из переменных не определена, берется значение NFQWS_OPT_DESYNC.
|
||||||
|
|
||||||
Настройка системы управления выборочным traffic offload (только openwrt)
|
Настройка системы управления выборочным traffic offload (только openwrt)
|
||||||
donttouch : выборочное управление отключено, используется системная настройка, простой инсталятор выключает системную настройку, если она не совместима с выбранным режимом
|
donttouch : выборочное управление отключено, используется системная настройка, простой инсталятор выключает системную настройку, если она не совместима с выбранным режимом
|
||||||
|
@ -1,44 +0,0 @@
|
|||||||
# this custom script demonstrates how to use 2 copies of nfqws
|
|
||||||
# it preserves config settings : MODE_HTTP, MODE_HTTP_KEEPALIVE, MODE_HTTPS, MODE_FILTER, NFQWS_OPT_DESYNC
|
|
||||||
# NFQWS_OPT_DESYNC - parameters for http
|
|
||||||
# NFQWS_OPT_DESYNC2 - parameters for https. you should add this variable to config file, its absent there
|
|
||||||
|
|
||||||
QNUM2=$(($QNUM+1))
|
|
||||||
|
|
||||||
zapret_custom_daemons()
|
|
||||||
{
|
|
||||||
local opt
|
|
||||||
|
|
||||||
[ "$MODE_HTTP" = "1" ] && {
|
|
||||||
opt="$NFQWS_OPT_BASE $NFQWS_OPT_DESYNC"
|
|
||||||
filter_apply_hostlist_target opt
|
|
||||||
run_daemon 1 $NFQWS "$opt"
|
|
||||||
}
|
|
||||||
|
|
||||||
[ "$MODE_HTTPS" = "1" ] && {
|
|
||||||
opt="$NFQWS_OPT_BASE $NFQWS_OPT_DESYNC2 --qnum=$QNUM2"
|
|
||||||
filter_apply_hostlist_target opt
|
|
||||||
run_daemon 2 $NFQWS "$opt"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
zapret_custom_firewall()
|
|
||||||
{
|
|
||||||
local f4 f6
|
|
||||||
local first_packet_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4"
|
|
||||||
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
|
|
||||||
|
|
||||||
[ "$MODE_HTTP" = "1" ] && {
|
|
||||||
f4="--dport 80"
|
|
||||||
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
|
|
||||||
f6=$f4
|
|
||||||
filter_apply_ipset_target f4 f6
|
|
||||||
fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
|
|
||||||
}
|
|
||||||
|
|
||||||
[ "$MODE_HTTPS" = "1" ] && {
|
|
||||||
f4="--dport 443 $first_packet_only"
|
|
||||||
f6=$f4
|
|
||||||
filter_apply_ipset_target f4 f6
|
|
||||||
fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM2
|
|
||||||
}
|
|
||||||
}
|
|
@ -6,13 +6,13 @@ zapret_custom_daemons()
|
|||||||
local opt
|
local opt
|
||||||
|
|
||||||
[ "$MODE_HTTP" = "1" ] && {
|
[ "$MODE_HTTP" = "1" ] && {
|
||||||
opt="$TPWS_OPT"
|
opt="--port=$TPPORT $TPWS_OPT"
|
||||||
filter_apply_hostlist_target opt
|
filter_apply_hostlist_target opt
|
||||||
run_tpws 1 "$opt"
|
run_tpws 1 "$opt"
|
||||||
}
|
}
|
||||||
|
|
||||||
[ "$MODE_HTTPS" = "1" ] && {
|
[ "$MODE_HTTPS" = "1" ] && {
|
||||||
opt="$NFQWS_OPT_BASE $NFQWS_OPT_DESYNC"
|
opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC"
|
||||||
filter_apply_hostlist_target opt
|
filter_apply_hostlist_target opt
|
||||||
run_daemon 2 $NFQWS "$opt"
|
run_daemon 2 $NFQWS "$opt"
|
||||||
}
|
}
|
||||||
|
@ -1,20 +0,0 @@
|
|||||||
# this script contain your special code to launch daemons and configure firewall
|
|
||||||
# use helpers from "functions" file and "zapret" init script
|
|
||||||
# in case of upgrade keep this file only, do not modify others
|
|
||||||
|
|
||||||
zapret_custom_daemons()
|
|
||||||
{
|
|
||||||
# PLACEHOLDER
|
|
||||||
echo !!! NEED ATTENTION !!!
|
|
||||||
echo Start daemon\(s\)
|
|
||||||
echo Study how other sections work
|
|
||||||
|
|
||||||
run_daemon 1 /bin/sleep 20
|
|
||||||
}
|
|
||||||
zapret_custom_firewall()
|
|
||||||
{
|
|
||||||
# PLACEHOLDER
|
|
||||||
echo !!! NEED ATTENTION !!!
|
|
||||||
echo Configure iptables for required actions
|
|
||||||
echo Study how other sections work
|
|
||||||
}
|
|
@ -20,6 +20,9 @@ CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/openwrt/custom"
|
|||||||
IPSET_EXCLUDE="-m set ! --match-set nozapret"
|
IPSET_EXCLUDE="-m set ! --match-set nozapret"
|
||||||
IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
|
IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
|
||||||
|
|
||||||
|
NFQWS_OPT_DESYNC_HTTP="${NFQWS_OPT_DESYNC_HTTP:-$NFQWS_OPT_DESYNC}"
|
||||||
|
NFQWS_OPT_DESYNC_HTTPS="${NFQWS_OPT_DESYNC_HTTPS:-$NFQWS_OPT_DESYNC}"
|
||||||
|
|
||||||
exists()
|
exists()
|
||||||
{
|
{
|
||||||
which "$1" >/dev/null 2>/dev/null
|
which "$1" >/dev/null 2>/dev/null
|
||||||
@ -307,7 +310,8 @@ is_flow_offload_avail()
|
|||||||
list_nfqws_rules()
|
list_nfqws_rules()
|
||||||
{
|
{
|
||||||
# $1 = '' for ipv4, '6' for ipv6
|
# $1 = '' for ipv4, '6' for ipv6
|
||||||
ip$1tables -S POSTROUTING -t mangle | grep "NFQUEUE --queue-num $QNUM --queue-bypass" | sed -re 's/^-A POSTROUTING (.*) -j NFQUEUE.*$/\1/' -e "s/-m mark ! --mark $DESYNC_MARK\/$DESYNC_MARK//"
|
ip$1tables -S POSTROUTING -t mangle | grep -E "NFQUEUE --queue-num $QNUM --queue-bypass|NFQUEUE --queue-num $(($QNUM+1)) --queue-bypass" | \
|
||||||
|
sed -re 's/^-A POSTROUTING (.*) -j NFQUEUE.*$/\1/' -e "s/-m mark ! --mark $DESYNC_MARK\/$DESYNC_MARK//"
|
||||||
}
|
}
|
||||||
reverse_nfqws_rule()
|
reverse_nfqws_rule()
|
||||||
{
|
{
|
||||||
@ -374,6 +378,7 @@ zapret_apply_firewall()
|
|||||||
local first_packet_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4"
|
local first_packet_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4"
|
||||||
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
|
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
|
||||||
local f4 f6
|
local f4 f6
|
||||||
|
local qn
|
||||||
|
|
||||||
# always create ipsets. ip_exclude ipset is required
|
# always create ipsets. ip_exclude ipset is required
|
||||||
create_ipset no-update
|
create_ipset no-update
|
||||||
@ -394,9 +399,16 @@ zapret_apply_firewall()
|
|||||||
if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
|
if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
|
||||||
echo both http and https are disabled. not applying redirection.
|
echo both http and https are disabled. not applying redirection.
|
||||||
else
|
else
|
||||||
if [ "$MODE_HTTP_KEEPALIVE" = "1" ]; then
|
if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ]; then
|
||||||
|
filter_apply_port_target f4
|
||||||
|
f4="$f4 $first_packet_only"
|
||||||
|
f6=$f4
|
||||||
|
filter_apply_ipset_target f4 f6
|
||||||
|
fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
|
||||||
|
else
|
||||||
if [ "$MODE_HTTP" = "1" ]; then
|
if [ "$MODE_HTTP" = "1" ]; then
|
||||||
f4="--dport 80"
|
f4="--dport 80"
|
||||||
|
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
|
||||||
f6=$f4
|
f6=$f4
|
||||||
filter_apply_ipset_target f4 f6
|
filter_apply_ipset_target f4 f6
|
||||||
fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
|
fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
|
||||||
@ -405,14 +417,10 @@ zapret_apply_firewall()
|
|||||||
f4="--dport 443 $first_packet_only"
|
f4="--dport 443 $first_packet_only"
|
||||||
f6=$f4
|
f6=$f4
|
||||||
filter_apply_ipset_target f4 f6
|
filter_apply_ipset_target f4 f6
|
||||||
fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
|
qn=$QNUM
|
||||||
|
[ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || qn=$(($QNUM+1))
|
||||||
|
fw_nfqws_post "$f4 $desync" "$f6 $desync" $qn
|
||||||
fi
|
fi
|
||||||
else
|
|
||||||
filter_apply_port_target f4
|
|
||||||
f4="$f4 $first_packet_only"
|
|
||||||
f6=$f4
|
|
||||||
filter_apply_ipset_target f4 f6
|
|
||||||
fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
@ -21,14 +21,14 @@ PIDDIR=/var/run
|
|||||||
|
|
||||||
NFQWS_USER=daemon
|
NFQWS_USER=daemon
|
||||||
NFQWS="$ZAPRET_BASE/nfq/nfqws"
|
NFQWS="$ZAPRET_BASE/nfq/nfqws"
|
||||||
NFQWS_OPT_BASE="--qnum=$QNUM --user=$NFQWS_USER"
|
NFQWS_OPT_BASE="--user=$NFQWS_USER --dpi-desync-fwmark=$DESYNC_MARK"
|
||||||
|
|
||||||
TPWS="$ZAPRET_BASE/tpws/tpws"
|
TPWS="$ZAPRET_BASE/tpws/tpws"
|
||||||
TPWS_LOCALHOST4=127.0.0.127
|
TPWS_LOCALHOST4=127.0.0.127
|
||||||
HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts.txt.gz"
|
HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts.txt.gz"
|
||||||
[ -f "$HOSTLIST" ] || HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts.txt"
|
[ -f "$HOSTLIST" ] || HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts.txt"
|
||||||
[ -f "$HOSTLIST" ] || HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts-user.txt"
|
[ -f "$HOSTLIST" ] || HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts-user.txt"
|
||||||
TPWS_OPT_BASE="--user=$TPWS_USER --port=$TPPORT"
|
TPWS_OPT_BASE="--user=$TPWS_USER"
|
||||||
TPWS_OPT_BASE4="--bind-addr=$TPWS_LOCALHOST4"
|
TPWS_OPT_BASE4="--bind-addr=$TPWS_LOCALHOST4"
|
||||||
TPWS_OPT_BASE6="--bind-addr=::1"
|
TPWS_OPT_BASE6="--bind-addr=::1"
|
||||||
TPWS_WAIT="--bind-wait-ifup=30 --bind-wait-ip=30"
|
TPWS_WAIT="--bind-wait-ifup=30 --bind-wait-ip=30"
|
||||||
@ -99,20 +99,25 @@ start_service() {
|
|||||||
|
|
||||||
case "${MODE}" in
|
case "${MODE}" in
|
||||||
tpws)
|
tpws)
|
||||||
opt="$TPWS_OPT"
|
opt="--port=$TPPORT $TPWS_OPT"
|
||||||
filter_apply_hostlist_target opt
|
filter_apply_hostlist_target opt
|
||||||
run_tpws 1 "$opt"
|
run_tpws 1 "$opt"
|
||||||
;;
|
;;
|
||||||
tpws-socks)
|
tpws-socks)
|
||||||
opt="$TPWS_OPT_BASE --socks $TPWS_OPT"
|
opt="--port=$TPPORT $TPWS_OPT_BASE --socks $TPWS_OPT"
|
||||||
tpws_apply_socks_binds opt
|
tpws_apply_socks_binds opt
|
||||||
filter_apply_hostlist_target opt
|
filter_apply_hostlist_target opt
|
||||||
run_daemon 1 "$TPWS" "$opt"
|
run_daemon 1 "$TPWS" "$opt"
|
||||||
;;
|
;;
|
||||||
nfqws)
|
nfqws)
|
||||||
opt="$NFQWS_OPT_BASE $NFQWS_OPT_DESYNC"
|
opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP"
|
||||||
filter_apply_hostlist_target opt
|
filter_apply_hostlist_target opt
|
||||||
run_daemon 1 "$NFQWS" "$opt"
|
run_daemon 1 "$NFQWS" "$opt"
|
||||||
|
[ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || {
|
||||||
|
opt="--qnum=$(($QNUM+1)) $NFQWS_OPT_BASE2 $NFQWS_OPT_DESYNC_HTTPS"
|
||||||
|
filter_apply_hostlist_target opt
|
||||||
|
run_daemon 2 "$NFQWS" "$opt"
|
||||||
|
}
|
||||||
;;
|
;;
|
||||||
custom)
|
custom)
|
||||||
existf zapret_custom_daemons && zapret_custom_daemons $1
|
existf zapret_custom_daemons && zapret_custom_daemons $1
|
||||||
|
@ -1,44 +0,0 @@
|
|||||||
# this custom script demonstrates how to use 2 copies of nfqws
|
|
||||||
# it preserves config settings : MODE_HTTP, MODE_HTTP_KEEPALIVE, MODE_HTTPS, MODE_FILTER, NFQWS_OPT_DESYNC
|
|
||||||
# NFQWS_OPT_DESYNC - parameters for http
|
|
||||||
# NFQWS_OPT_DESYNC2 - parameters for https. you should add this variable to config file, its absent there
|
|
||||||
|
|
||||||
QNUM2=$(($QNUM+1))
|
|
||||||
|
|
||||||
zapret_custom_daemons()
|
|
||||||
{
|
|
||||||
local opt
|
|
||||||
|
|
||||||
[ "$MODE_HTTP" = "1" ] && {
|
|
||||||
opt="$NFQWS_OPT_DESYNC"
|
|
||||||
filter_apply_hostlist_target opt
|
|
||||||
do_nfqws $1 1 "$opt"
|
|
||||||
}
|
|
||||||
|
|
||||||
[ "$MODE_HTTPS" = "1" ] && {
|
|
||||||
opt="$NFQWS_OPT_DESYNC2 --qnum=$QNUM2"
|
|
||||||
filter_apply_hostlist_target opt
|
|
||||||
do_nfqws $1 2 "$opt"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
zapret_custom_firewall()
|
|
||||||
{
|
|
||||||
local f4 f6
|
|
||||||
local first_packet_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4"
|
|
||||||
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
|
|
||||||
|
|
||||||
[ "$MODE_HTTP" = "1" ] && {
|
|
||||||
f4="--dport 80"
|
|
||||||
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
|
|
||||||
f6=$f4
|
|
||||||
filter_apply_ipset_target f4 f6
|
|
||||||
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
|
|
||||||
}
|
|
||||||
|
|
||||||
[ "$MODE_HTTPS" = "1" ] && {
|
|
||||||
f4="--dport 443 $first_packet_only"
|
|
||||||
f6=$f4
|
|
||||||
filter_apply_ipset_target f4 f6
|
|
||||||
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM2
|
|
||||||
}
|
|
||||||
}
|
|
@ -6,13 +6,13 @@ zapret_custom_daemons()
|
|||||||
local opt
|
local opt
|
||||||
|
|
||||||
[ "$MODE_HTTP" = "1" ] && {
|
[ "$MODE_HTTP" = "1" ] && {
|
||||||
opt="$TPWS_OPT"
|
opt="--port=$TPPORT $TPWS_OPT"
|
||||||
filter_apply_hostlist_target opt
|
filter_apply_hostlist_target opt
|
||||||
do_tpws $1 1 "$opt"
|
do_tpws $1 1 "$opt"
|
||||||
}
|
}
|
||||||
|
|
||||||
[ "$MODE_HTTPS" = "1" ] && {
|
[ "$MODE_HTTPS" = "1" ] && {
|
||||||
opt="$NFQWS_OPT_DESYNC"
|
opt="--qnum=$QNUM $NFQWS_OPT_DESYNC"
|
||||||
filter_apply_hostlist_target opt
|
filter_apply_hostlist_target opt
|
||||||
do_nfqws $1 2 "$opt"
|
do_nfqws $1 2 "$opt"
|
||||||
}
|
}
|
||||||
|
@ -12,7 +12,9 @@ WS_USER=tpws
|
|||||||
|
|
||||||
[ -n "$QNUM" ] || QNUM=200
|
[ -n "$QNUM" ] || QNUM=200
|
||||||
NFQWS="$ZAPRET_BASE/nfq/nfqws"
|
NFQWS="$ZAPRET_BASE/nfq/nfqws"
|
||||||
NFQWS_OPT_BASE="--qnum=$QNUM --user=$WS_USER"
|
NFQWS_OPT_BASE="--user=$WS_USER --dpi-desync-fwmark=$DESYNC_MARK"
|
||||||
|
NFQWS_OPT_DESYNC_HTTP="${NFQWS_OPT_DESYNC_HTTP:-$NFQWS_OPT_DESYNC}"
|
||||||
|
NFQWS_OPT_DESYNC_HTTPS="${NFQWS_OPT_DESYNC_HTTPS:-$NFQWS_OPT_DESYNC}"
|
||||||
|
|
||||||
[ -n "$TPPORT" ] || TPPORT=988
|
[ -n "$TPPORT" ] || TPPORT=988
|
||||||
TPWS="$ZAPRET_BASE/tpws/tpws"
|
TPWS="$ZAPRET_BASE/tpws/tpws"
|
||||||
@ -21,7 +23,7 @@ HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts.txt.gz"
|
|||||||
[ -f "$HOSTLIST" ] || HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts.txt"
|
[ -f "$HOSTLIST" ] || HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts.txt"
|
||||||
[ -f "$HOSTLIST" ] || HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts-user.txt"
|
[ -f "$HOSTLIST" ] || HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts-user.txt"
|
||||||
|
|
||||||
TPWS_OPT_BASE="--user=$WS_USER --port=$TPPORT"
|
TPWS_OPT_BASE="--user=$WS_USER"
|
||||||
TPWS_OPT_BASE4="--bind-addr=$TPWS_LOCALHOST4"
|
TPWS_OPT_BASE4="--bind-addr=$TPWS_LOCALHOST4"
|
||||||
TPWS_OPT_BASE6="--bind-addr=::1"
|
TPWS_OPT_BASE6="--bind-addr=::1"
|
||||||
TPWS_WAIT="--bind-wait-ifup=30 --bind-wait-ip=30"
|
TPWS_WAIT="--bind-wait-ifup=30 --bind-wait-ip=30"
|
||||||
@ -29,6 +31,7 @@ TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30"
|
|||||||
# first wait for lan to ifup, then wait for bind-wait-ip-linklocal seconds for link local address and bind-wait-ip for any ipv6 as the worst case
|
# first wait for lan to ifup, then wait for bind-wait-ip-linklocal seconds for link local address and bind-wait-ip for any ipv6 as the worst case
|
||||||
TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=3"
|
TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=3"
|
||||||
|
|
||||||
|
|
||||||
[ -n "$IFACE_WAN" ] && IPT_OWAN="-o $IFACE_WAN"
|
[ -n "$IFACE_WAN" ] && IPT_OWAN="-o $IFACE_WAN"
|
||||||
[ -n "$IFACE_WAN" ] && IPT_IWAN="-i $IFACE_WAN"
|
[ -n "$IFACE_WAN" ] && IPT_IWAN="-i $IFACE_WAN"
|
||||||
[ -n "$IFACE_LAN" ] && IPT_ILAN="-i $IFACE_LAN"
|
[ -n "$IFACE_LAN" ] && IPT_ILAN="-i $IFACE_LAN"
|
||||||
@ -214,7 +217,7 @@ fw_tpws4()
|
|||||||
# $3 - tpws port
|
# $3 - tpws port
|
||||||
[ "$DISABLE_IPV4" = "1" ] || {
|
[ "$DISABLE_IPV4" = "1" ] || {
|
||||||
[ "$1" = 1 ] && prepare_tpws_fw4
|
[ "$1" = 1 ] && prepare_tpws_fw4
|
||||||
print_op $1 "$2" "tpws"
|
print_op $1 "$2" "tpws (port $3)"
|
||||||
[ -n "$IFACE_LAN" ] && {
|
[ -n "$IFACE_LAN" ] && {
|
||||||
ipt_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3
|
ipt_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3
|
||||||
}
|
}
|
||||||
@ -227,7 +230,7 @@ fw_tpws6()
|
|||||||
# $2 - iptable filter for ipv6
|
# $2 - iptable filter for ipv6
|
||||||
# $3 - tpws port
|
# $3 - tpws port
|
||||||
[ "$DISABLE_IPV6" = "1" ] || {
|
[ "$DISABLE_IPV6" = "1" ] || {
|
||||||
print_op $1 "$2" "tpws" 6
|
print_op $1 "$2" "tpws (port $3)" 6
|
||||||
[ -n "$IFACE_LAN" ] && {
|
[ -n "$IFACE_LAN" ] && {
|
||||||
dnat6_target
|
dnat6_target
|
||||||
[ "$DNAT6_TARGET" != "-" ] && ipt6_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $2 $IPSET_EXCLUDE6 dst -j DNAT --to [$DNAT6_TARGET]:$3
|
[ "$DNAT6_TARGET" != "-" ] && ipt6_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $2 $IPSET_EXCLUDE6 dst -j DNAT --to [$DNAT6_TARGET]:$3
|
||||||
@ -252,7 +255,7 @@ fw_nfqws_pre4()
|
|||||||
# $2 - iptable filter for ipv4
|
# $2 - iptable filter for ipv4
|
||||||
# $3 - queue number
|
# $3 - queue number
|
||||||
[ "$DISABLE_IPV4" = "1" ] || {
|
[ "$DISABLE_IPV4" = "1" ] || {
|
||||||
print_op $1 "$2" "nfqws prerouting"
|
print_op $1 "$2" "nfqws prerouting (qnum $3)"
|
||||||
ipt_add_del $1 PREROUTING -t mangle $IPT_IWAN -p tcp $2 $IPSET_EXCLUDE src -j NFQUEUE --queue-num $3 --queue-bypass
|
ipt_add_del $1 PREROUTING -t mangle $IPT_IWAN -p tcp $2 $IPSET_EXCLUDE src -j NFQUEUE --queue-num $3 --queue-bypass
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -262,7 +265,7 @@ fw_nfqws_pre6()
|
|||||||
# $2 - iptable filter for ipv6
|
# $2 - iptable filter for ipv6
|
||||||
# $3 - queue number
|
# $3 - queue number
|
||||||
[ "$DISABLE_IPV6" = "1" ] || {
|
[ "$DISABLE_IPV6" = "1" ] || {
|
||||||
print_op $1 "$2" "nfqws prerouting" 6
|
print_op $1 "$2" "nfqws prerouting (qnum $3)" 6
|
||||||
ipt6_add_del $1 PREROUTING -t mangle $IPT_IWAN -p tcp $2 $IPSET_EXCLUDE6 src -j NFQUEUE --queue-num $3 --queue-bypass
|
ipt6_add_del $1 PREROUTING -t mangle $IPT_IWAN -p tcp $2 $IPSET_EXCLUDE6 src -j NFQUEUE --queue-num $3 --queue-bypass
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -281,7 +284,7 @@ fw_nfqws_post4()
|
|||||||
# $2 - iptable filter for ipv4
|
# $2 - iptable filter for ipv4
|
||||||
# $3 - queue number
|
# $3 - queue number
|
||||||
[ "$DISABLE_IPV4" = "1" ] || {
|
[ "$DISABLE_IPV4" = "1" ] || {
|
||||||
print_op $1 "$2" "nfqws postrouting"
|
print_op $1 "$2" "nfqws postrouting (qnum $3)"
|
||||||
ipt_add_del $1 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass
|
ipt_add_del $1 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -291,7 +294,7 @@ fw_nfqws_post6()
|
|||||||
# $2 - iptable filter for ipv6
|
# $2 - iptable filter for ipv6
|
||||||
# $3 - queue number
|
# $3 - queue number
|
||||||
[ "$DISABLE_IPV6" = "1" ] || {
|
[ "$DISABLE_IPV6" = "1" ] || {
|
||||||
print_op $1 "$2" "nfqws postrouting" 6
|
print_op $1 "$2" "nfqws postrouting (qnum $3)" 6
|
||||||
ipt6_add_del $1 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass
|
ipt6_add_del $1 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -458,6 +461,7 @@ zapret_do_firewall()
|
|||||||
local first_packet_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4"
|
local first_packet_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4"
|
||||||
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
|
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
|
||||||
local f4 f6
|
local f4 f6
|
||||||
|
local qn
|
||||||
|
|
||||||
# always create ipsets. ip_exclude ipset is required
|
# always create ipsets. ip_exclude ipset is required
|
||||||
[ "$1" != "1" ] || create_ipset no-update
|
[ "$1" != "1" ] || create_ipset no-update
|
||||||
@ -478,9 +482,16 @@ zapret_do_firewall()
|
|||||||
if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
|
if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
|
||||||
echo both http and https are disabled. not applying redirection.
|
echo both http and https are disabled. not applying redirection.
|
||||||
else
|
else
|
||||||
if [ "$MODE_HTTP_KEEPALIVE" = "1" ]; then
|
if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ]; then
|
||||||
|
filter_apply_port_target f4
|
||||||
|
f4="$f4 $first_packet_only"
|
||||||
|
f6=$f4
|
||||||
|
filter_apply_ipset_target f4 f6
|
||||||
|
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
|
||||||
|
else
|
||||||
if [ "$MODE_HTTP" = "1" ]; then
|
if [ "$MODE_HTTP" = "1" ]; then
|
||||||
f4="--dport 80"
|
f4="--dport 80"
|
||||||
|
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
|
||||||
f6=$f4
|
f6=$f4
|
||||||
filter_apply_ipset_target f4 f6
|
filter_apply_ipset_target f4 f6
|
||||||
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
|
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
|
||||||
@ -489,14 +500,10 @@ zapret_do_firewall()
|
|||||||
f4="--dport 443 $first_packet_only"
|
f4="--dport 443 $first_packet_only"
|
||||||
f6=$f4
|
f6=$f4
|
||||||
filter_apply_ipset_target f4 f6
|
filter_apply_ipset_target f4 f6
|
||||||
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
|
qn=$QNUM
|
||||||
|
[ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || qn=$(($QNUM+1))
|
||||||
|
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $qn
|
||||||
fi
|
fi
|
||||||
else
|
|
||||||
filter_apply_port_target f4
|
|
||||||
f4="$f4 $first_packet_only"
|
|
||||||
f6=$f4
|
|
||||||
filter_apply_ipset_target f4 f6
|
|
||||||
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
@ -523,20 +530,25 @@ zapret_do_daemons()
|
|||||||
|
|
||||||
case "${MODE}" in
|
case "${MODE}" in
|
||||||
tpws)
|
tpws)
|
||||||
opt="$TPWS_OPT"
|
opt="--port=$TPPORT $TPWS_OPT"
|
||||||
filter_apply_hostlist_target opt
|
filter_apply_hostlist_target opt
|
||||||
do_tpws $1 1 "$opt"
|
do_tpws $1 1 "$opt"
|
||||||
;;
|
;;
|
||||||
tpws-socks)
|
tpws-socks)
|
||||||
opt="$TPWS_OPT_BASE --socks $TPWS_OPT"
|
opt="--port=$TPPORT $TPWS_OPT_BASE --socks $TPWS_OPT"
|
||||||
tpws_apply_socks_binds opt
|
tpws_apply_socks_binds opt
|
||||||
filter_apply_hostlist_target opt
|
filter_apply_hostlist_target opt
|
||||||
do_daemon $1 1 "$TPWS" "$opt"
|
do_daemon $1 1 "$TPWS" "$opt"
|
||||||
;;
|
;;
|
||||||
nfqws)
|
nfqws)
|
||||||
opt="$NFQWS_OPT_DESYNC"
|
opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTP"
|
||||||
filter_apply_hostlist_target opt
|
filter_apply_hostlist_target opt
|
||||||
do_nfqws $1 1 "$opt"
|
do_nfqws $1 1 "$opt"
|
||||||
|
[ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || {
|
||||||
|
opt="--qnum=$(($QNUM+1)) $NFQWS_OPT_DESYNC_HTTPS"
|
||||||
|
filter_apply_hostlist_target opt
|
||||||
|
do_nfqws $1 2 "$opt"
|
||||||
|
}
|
||||||
;;
|
;;
|
||||||
custom)
|
custom)
|
||||||
existf zapret_custom_daemons && zapret_custom_daemons $1
|
existf zapret_custom_daemons && zapret_custom_daemons $1
|
||||||
|
@ -306,8 +306,10 @@ select_mode_mode()
|
|||||||
;;
|
;;
|
||||||
nfqws)
|
nfqws)
|
||||||
echo
|
echo
|
||||||
echo nfqws options : $NFQWS_OPT_DESYNC
|
echo "nfqws options (default) : $NFQWS_OPT_DESYNC"
|
||||||
echo to change : edit NFQWS_OPT_DESYNC in $ZAPRET_CONFIG
|
echo "nfqws options (http) : $NFQWS_OPT_DESYNC_HTTP"
|
||||||
|
echo "nfqws options (https) : $NFQWS_OPT_DESYNC_HTTPS"
|
||||||
|
echo to change : edit NFQWS_OPT_DESYNC, NFQWS_OPT_DESYNC_HTTP, NFQWS_OPT_DESYNC_HTTPS in $ZAPRET_CONFIG
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user